
Android VPN (Always On) with pfSense

This article shows the pfSense and Android device settings for an always-on IPsec VPN. The best article to start with is “https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-client-android.html”. Compare your settings to those on this page if you need more help than the linked article provides.

The VPN cryptographic settings are:

  • Phase 1: IKEv2, Mutual PSK, My Identifier=My IP, Algorithm=AES256-GCM, Key length=128 bits, Hash=SHA512, DH=5 (1536 bits).
  • Phase 2: Protocol=ESP, Encryption Algorithms=AES 256 bits, Hash Algorithms=SHA512, PFS key group=2 (1024 bits).

Phase 1 Settings:

Phase 2 Networking:

Phase 2 Crypto:

Mobile Client settings (part 1):

Mobile Client settings (part 2):

Pre-Shared Keys. The “identifier” of “allusers” is special, and is likely the setting you need:

Ensure the firewall rules for the IPsec interface are permissive enough that you can access what you need:

Finally, the following are the Android (Galaxy) VPN settings. We’re using the Android built-in VPN client, which supports “always on”. To get there, navigate to “Settings, Connections, More Connection Settings, VPN”, tap the three dots icon and select “Add VPN Profile”. The “identifier” can be anything, but it makes sense to set it to something meaningful. See the next screenshot for how it appears in pfSense.

Notice the “key” icon at the top-left of the image above, indicating the VPN is connected.

The following screenshot shows how the smartphone client appears in pfSense:

Now you should test that the smartphone is working while connected, and review your security settings.
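As a starting point for that review, the following added example (not part of the original article and not pfSense code) rates the Phase 1 DH group and Phase 2 PFS group listed above against the IKEv2 requirement levels in RFC 8247, section 2.4. The dictionary layout, the `audit` function and the `EXAMPLE_ALTERNATIVE` values are assumptions made for illustration.

```python
# Added example (not from the original article): rate the page's DH / PFS
# groups against the IKEv2 requirement levels in RFC 8247, section 2.4.

# DH group number -> (description, RFC 8247 requirement level)
RFC8247_DH = {
    1: ("768-bit MODP", "MUST NOT"),
    2: ("1024-bit MODP", "SHOULD NOT"),
    5: ("1536-bit MODP", "SHOULD NOT"),
    14: ("2048-bit MODP", "MUST"),
    19: ("256-bit random ECP", "SHOULD"),
    22: ("1024-bit MODP, 160-bit subgroup", "MUST NOT"),
    23: ("2048-bit MODP, 224-bit subgroup", "SHOULD NOT"),
    24: ("2048-bit MODP, 256-bit subgroup", "SHOULD NOT"),
}
# MODP modulus sizes, used only to compare Phase 1 and Phase 2 strength.
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}

# Transcribed from the settings list on this page (hypothetical dict layout).
PAGE_CONFIG = {"phase1": {"dh_group": 5}, "phase2": {"pfs_group": 2}}
# Illustrative alternative using the RFC 8247 "MUST" group; an assumption,
# not a setting from the article and not tested against the Android client.
EXAMPLE_ALTERNATIVE = {"phase1": {"dh_group": 14}, "phase2": {"pfs_group": 14}}


def audit(config):
    """Return a list of (phase, message) findings for the DH/PFS choices."""
    p1 = config["phase1"]["dh_group"]
    p2 = config["phase2"].get("pfs_group")  # None means PFS is off
    findings = []
    for phase, grp in (("phase1", p1), ("phase2", p2)):
        if grp is None:
            findings.append((phase, "PFS off: rekeyed child SAs get no fresh DH exchange"))
            continue
        desc, level = RFC8247_DH.get(grp, ("not listed in RFC 8247", "UNRATED"))
        if level.endswith("NOT"):
            findings.append((phase, f"DH group {grp} ({desc}) is {level} in RFC 8247"))
    # A Phase 2 group smaller than Phase 1 makes the child SA the weaker link.
    if p1 in MODP_BITS and p2 in MODP_BITS and MODP_BITS[p2] < MODP_BITS[p1]:
        findings.append(("phase2", f"PFS group {p2} ({MODP_BITS[p2]} bits) is "
                                   f"weaker than Phase 1 group {p1} ({MODP_BITS[p1]} bits)"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("alternative", EXAMPLE_ALTERNATIVE)):
        print(label, audit(cfg) or "no DH findings")
```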
